Bankers anticipate code-breaking machine

May 18, 1999
Web posted at: 12:57 p.m. EDT (1657 GMT)

by Ann Harrison

(IDG) -- A computer design unveiled earlier this month could unlock messages encrypted with 512-bit encryption keys. But some businesses -- including the nation's largest banking organization -- already are prepared for it.

Kawika Daguio, technology policy consultant at the Washington-based American Bankers Association (ABA), said his organization is already recommending that members encrypt data with keys stronger than those commonly in use. He said the ABA has recommended that members move rapidly to the Triple Data Encryption Standard (DES) for critical applications when the risk justifies it. Triple DES provides 168-bit encryption. The ABA's Ecom online banking project will use 1,024-bit public keys, and 2,048-bit keys for certificate authorities where applicable.

Shoot for 256

The National Institute of Standards and Technology is trying to create an advanced encryption standard. Daguio said the effort should focus on 256 bits for long-term encryption solutions instead of the current 128-bit target. "I am looking 15 to 20 years out rather than the short term," he said.

The new computer design, The Weizmann Institute Key Locating Engine (Twinkle for short), uses optical factoring techniques to determine the correct key for unscrambling messages secured with 512-bit keys. It speeds up the "sieving" step of the large-number factoring used to attack RSA Data Security Inc.'s public-key algorithm. The algorithm is a de facto encryption standard co-developed by Adi Shamir, who designed Twinkle. Shamir estimated that the device can be built for about $5,000 once the design process is complete.

Scientists at RSA in San Mateo, Calif., acknowledged that Twinkle puts data encrypted with 512-bit RSA keys at greater risk. Even before learning of Twinkle, RSA scientists concluded that 512-bit keys would soon be vulnerable; the company now recommends that software developers choose a minimum key size of 768 bits for user keys and 1,024 bits for enterprise keys.

Although some businesses require military-grade encryption of 2,048 bits or higher, most don't need it to secure casual communications or routine requests for information, Daguio said.

"Where you need to do the job right, overdo it a little bit. But we can't overburden business applications beyond what the security case or the business case calls for," he said. Businesses should make sure they don't rely on any one security technology, vendor or implementation to safeguard their data, Daguio added.